-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-22_05.webgui                                     Security Advisory
                                                                      pfSense

Topic:          XSS vulnerability in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2023-02-15
Credits:        Fabien MAISONNETTE (Alstom) https://fr.linkedin.com/in/fabdotnet
Affects:        pfSense Plus software versions < 22.05
                pfSense CE software versions <= 2.6.0
Corrected:      2022-04-14 13:36:43 UTC (pfSense Plus master)
                2022-04-14 13:36:43 UTC (pfSense CE master, 2.7.0)
                2022-04-14 13:39:39 UTC (pfSense CE 2.6.0)

0.   Revision History

v1.1  2023-06-19 Updated with CE 2.7.0 release information
v1.0  2023-02-15 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in firewall_aliases.php, a
component of the pfSense Plus and pfSense CE software GUI.

This problem is present on pfSense Plus version 22.05, pfSense CE version 2.6.0,
and earlier versions of both.

The page did not sanitize the contents of URL Table Alias URL parameters nor did
it encode the output when it included the value of that parameter in the page
when viewing the list of aliases on the URL or All tabs, leading to a possible
XSS.

III. Impact

Due to the lack of proper encoding on the affected parameters susceptible to
XSS, arbitrary JavaScript could be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for non-
  administrative web browsing.

V.   Solution

Users can upgrade to pfSense Plus software version 22.05 or later, or pfSense CE
software version 2.7.0 or later. This upgrade may be performed in the web
interface or from the console.

  See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense CE version 2.6.0 may apply the fix from the recommended patches
list in the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes to
the affected files if the patches do not apply directly.

  See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                        Revision
- - -------------------------------------------------------------------------
plus/plus-master                   ac6e07b50d1f72d689eee3ad16427c975482adc3
pfSense/master                     ac6e07b50d1f72d689eee3ad16427c975482adc3
pfSense/RELENG_2_6_0               528e53e8bb86642e38aa098226f5b74951d6a7bb
- - -------------------------------------------------------------------------

VII. References

<URL:https://redmine.pfsense.org/issues/13060>
<URL:https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html>
<URL:https://docs.netgate.com/pfsense/en/latest/development/system-patches.html>

The latest revision of this advisory is available at
<URL:https://docs.netgate.com/downloads/pfSense-SA-22_05.webgui.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmSQeqMACgkQE7mH/ZIU
+NomIg//Q8fINrmMugou9svbq4jXVoeXO5aECGvAF7te1JyIrzy03+NJ3E+iyRU3
EXtAEta66eQBF1AFY6x6OxXbwARq3gtuDuZXLi/q4ICWcOqI1h0YVb9FxX9xAgcJ
RwMuq1W8DGBZtD1exWdqZKJeUd5vUktDYfeW0IiY8uBUG3Pl3kocA15fRK63vFtC
Ggd+Xi1Xsg4rzoHwf+9WE1Z2bzpc6ex8cKhjGM7QnQ6k4sHfl5x8c8WN6UcEYXz6
Ms1lf5S3i+1cNDZG/gsjjcX6vN37W1+zklm+z9wmnPaRUp70AwQ8UoorL0ZL307h
bBxCAtZO5+GogWzCobQzdUX0E9xe/qg+ceZnhVrVp9Pg9qDB025E/Pg2iU/Sofjh
LSElgjLMmYKqrGwtsxLtD1sDSQIEecYGvLlR5UUUZ5oE0lKnUKgzHIn6w/T7mYBq
o8qDukgMnDN1ogLTcg7bk3UXtwK9PCrScPpuhjucPLHff03Akc9nTOL7YxAZLJTA
Z1ciBy0SD94Zqi6mAIRmWik+CsolxVbkA7P1u4S+OAfGpeSb9zUfUqEhlKp5XSr6
Yt8j4UG9MItZRaQeDaDFpJuiQOjlFNNg21JCLK03TL5X9jq255/AEPYU5Z6y2qbw
WXCspXTBlJnVw39lahsBHJBk/Dh1oxNG00SvTswc0aCeob27YcU=
=Cs28
-----END PGP SIGNATURE-----